Cross-domain authentication is here! Big milestone reached!

in engrave •  9 months ago  (edited)

Exposing Steem content to external world was our goal from the very beginning. Engrave was designed to become a platform which will allow users to create blogs and build brand awareness under own domain. But this is all impossible without users interaction.

Months ago, blogs' users were able to log in on every Engrave-powered blog using Steemconnect. But due to technical reasons, users had to log in independently on every blog which was a huge disadvantage and usability killer. We were aware of that, and after rewriting almost entire codebase (you can read about it in our previous blog post) to microservices, we were ready to implement solution for that.

After 25 commits and almost 10.000 changes across 146 files, it's time to introduce cross-domain authentication.

Interact with every blog easily

What does it mean in simple words? From yesterday on, you are able to log in on any blog and interact with every other without the need to log in again. It doesn't matter if the blog was created in a subdomain (like https://enjoycompany.engrave.site) or in the top-level domain like https://krzysztofszumny.pl/ or https://hobo.media/ - you will be logged in on every Engrave's blog for next 7 days.

Check it by yourself, it's fast and simple. Login on the first mentioned blog, visit the second one and check header menu. You will be logged in automatically!

We also fixed and improved all three templates on the occasion. From now, every template has integrated automatic login mechanism and the ability to read, post comment and vote in everything directly from the blog. Every blog.

And of course, it's working on mobile phones too. You know, just saying.


Security

Developing blockchain powered applications is quite complicated from the security point of view. Having your Steem private keys is like having keys to your apartment or even bank account. Lot of us have a small fortune here and we really care about security. That's why we were working on it a little bit longer than expected.

Minimal privileges

We don't want to have your keys, seriously. That's why we are using Steemconnect from the very beginning. But even with Steemconnect, it's possible to have more power than necessary. It's like with an Android Flashlight app which requires access to your private data, internet connection, and contact book.

While logging into blogs, Engrave only requires posting privileges for Vote and Comment. After all, everything you probably want to do on those blogs is to vote and comment good (or bad) quality articles.

Vault

But what to do when you already have users sensitive data like for example access tokens? Store it in industrial proved and secure place, like Hashicorp Vault system used by for example Adobe or Spaceflight corporations.

Every access token received from Steemconnect is encrypted and stored in a secure vault. Hashicorp Vault itself is secured by 5 master keys which need to be provided after every restart in order to decrypt data. Otherwise, it's impossible to have access to it.

JSON Web Token

Your secret keys don't even leave our server which is much more secure than sending it over and over through Internet network. We are using JWT tokens to authenticate you on blogs and this token is only able to authenticate you in our API. Even if someone steals it - it's useless in place other than Engrave, so you don't need to worry.


Next milestones

We are aware of some technical problems and visual imperfections of blogs' templates and dashboard. We will fix every bug, either it is small or big. We're doing everything we can to provide the best possible solution for both bloggers and readers but our time is limited. This is how our life and work looks like:

So... please be patient... but also use Engrave, test everything, give us feedback and resteem this post. Without that, it's impossible to go forward!

We already wrote a long post about Engrave future but due to a completely new architecture introduced two weeks ago, some of them might be outdated, some of them has been changed and some of them will be introduced sooner than later and it will be exciting.

Make sure you follow @engrave profile and please, stay tuned!


We are @wise-team

If you see this project interesting and useful, consider voting on us as we are a Witness called @wise-team. We are a group of people that just want to bring bright future for Steem network. Check our webpage https://wise-team.io and see our other projects.

One of our next biggest milestone, which we will introduce soon, is the ability to create Engrave blogs on demand for people without Steem account. Unfortunately, our investment into Steem Power let us only claim one single account every few days. While developing a technical solution, we do claim accounts even now to be ready. But it's not enough... we want to bring more and more people here!

You can easily help us reach our goals by just voting on us. But you know, no pressure.


Originally posted on ENGRAVE Blog. Steem blog powered by ENGRAVE.

Authors get paid when people like you upvote their post.
If you enjoyed what you read here, create your account today and start earning FREE STEEM!
Sort Order:  

Wow, what a great update! Making it so that users don't have to log in every time is definitely a huge improvement to the user experience. I'm very impressed with the amount of work that has been put into this update as well.

As for the code, it's mostly really great, but there are some things that I was wondering. In files such as sso_rest.js var is used a lot and the quality in general seems a bit lower than other parts of the codebase. For example, in authorize.ts the quality of the code is better, and const is used instead of var. I'm guessing that the former was taken from somewhere else, whereas the latter was written by yourself? If that's the case, then in my opinion you should mention this somewhere in the code at least, and maybe even in the post itself.

Either way, as I said before, this is a great update and it's obvious a lot of work went into it. For this reason, I will be picking it as a "staff pick", which means it will receive the highest reward possible for the development category. Looking forward to seeing more contributions from you guys in the future!

P.S. it says Jason instead of JSON, haha.


Need help? Chat with us on Discord.

[utopian-moderator]

  ·  9 months ago (edited)

Thank you, I really appreciate your feedback and decision!

In files such as sso_rest.js var is used a lot and the quality in general seems a bit lower than other parts of the codebase

The entire concept of SSO was adopted from this project, and some file was untouched, like sso_rest.js (four files if I remember correctly). It looks like a POC and some files could be written much better of course. I just wanted to focus on "bigger picture" of this update. But indeed, it's necessary to refactor those files. I will do it myself or maybe open an issue on Github and let to do it by one of the Utopian users? :)

I am aware of varied code quality. Engrave codebase is a one-man-job. I personally wrote every single line of code (except for some files like CSS for themes or those third-party solutions mentioned above) and gained a lot of experience doing that. There are still a lot of places that need to be refactored but I think I'm going in the right direction. Development is now much easier than previously. And I feel better as a backend than frontend developer as you can tell from both code quality and some imperfections of appearance. And I'm focused on missing features. There will be time to fine tune everything else :)

If that's the case, then in my opinion you should mention this somewhere in the code at least, and maybe even in the post itself.

I'm going to post more detailed technical articles as part of "Engineering" category of blog.engrave.website and there this information will be provided with all other details.

P.S. it says Jason instead of JSON, haha.

Wait, what? Where? There's nothing like that, and never was ;)

Is @engrave 100% open source?

Yes

Thank you for your review, @amosbastian! Keep up the good work!

Thanks for the mention! At this point, it is not possible to add custom scripts or adds to your blog but we are going to introduce "Theme manager" where you will be able to do that.

IMO @engrave would be revolutionary if it allowed optional guest commenting through disqus, ads and blacklisting users so their comments don't show up on the blog (i.e. bots and spammers). This would allow for a clean blog anyone can access, further boosted by other sources of monetization.

We're going to allow quest comments soon but without Disqus at all. Blacklisting users will be available soon as well, we're actually working at it right now :)

Thanks for using @edensgarden!

I have a question. I just set-up a blog using the site gniksivart.dblog.org and was wondering if my blog becomes profitable and I want to buy my own domain, is there anyways I can upgrade from gniksivart.dblog.org to something like gniksivart.com, or will I have to create a new Steem account and set-up the new blog under the new Steem account?

You will be able to move your domain to custom one without the need to create another account :)

I'm trying to set up my blog. I'm trying to configure it now - need to point my custom domain to Engrave "servers". I didn't note down the servers when they first appeared, but now I can't seem to find what they are. Can you help me with the server names/addresses?

Just point A and CNAME records to 139.162.185.235 :) In case of problems, visit our Discord.

PS. We're going to push a fix that will prevent situations like this :)

Thanks I'll try that now.

cool. I only have one engrave blog but I can see how this is relevant. Very nice. Good work!

Right now, every Engrave user have one blog... But previously if you wanted to interact with for example another blog, you had to log in into it specifically. Now, after this change - if you log in on your blog, you will be logged in on any other automatically.

It's working similar to Google authentication. You just need to login into your Gmail account, and you can use Calendar, Keep etc. Much, much more user-friendly :)

Awesome! :)

Excellent work!

Posted using Partiko Android

Can you comment the link of your Engrave blog?

  • I want to visit it, to see what it looks like.

Mine is karatespace.pt

I just started. It won't be a super dynamic blog. It will work as the official site for my karate club.
I'll post some articles I usually integrate in the club newsletter. Let's see how it goes :)

Great! Will try to support you. Maybe some kind of custom template for your karate blog? :)

Thanks @rmach 😊👍🏻

Sure, you can visit it here: Engrave Blog. And here you can find much more blogs created by our users: https://engrave.website/explore

The latest blog was created by me, for @emaferice, and under the domain:

I clicked on the link on your site, listing Emafe.com as the latest blog, but it gave me a warning, saying that the site is not secure.

I clicked "Proceed anyways", and it sent me to a different blog, not Emafe.com.

Also, when I visit Emafe.com, it doesn't go to a Splash page for my wife's new @engrave blog, but goes to the Engrave.website homepage instead.

Is all of this normal? @engrave

No, I will take a look at it right now :)

It looks like you fixed it @engrave thank you 😊👍🏻

My pleasure!

Have you guys looked into supporting the Steem Keychain extension? This should allow people to automatically log in to any site without you having to store any tokens or without the user having to put their private keys into steem connect. Feel free to reach out if you need any more info about it.

I will look into it, but to be honest - I'm not a big fan of browsers extensions because of their update policy (it's possible to inject vulnerability just by an update without even a notice). But it sure might be interesting for some users so I will research this. Thanks!

Well the same could be said for steemconnect, but with the browser extension there's at least the option to download the code and run it locally, or use the Brave browser which I believe doesn't auto-update. Additionally it's much more familiar to people who use Ethereum dapps (aka most people in the crypto space). They are used to using Metamask and are rightfully very wary of putting private keys into a website.

Also from a user experience perspective keychain is so much easier. You never have to worry about where you saved your keys and copying/pasting them, especially if you have multiple accounts. You just type in the username you want and you're good to go.

Thanks for the explanation - as I said, I will look into it definitely because it might be interesting :)

Impressive guys very impressive😎👍

Posted using Partiko iOS

I agree 😊

Thank you :)

Hello guys, congratulations for your excellent work! @engrave @wise-team
Just a couple of questions:

  • are you interested in an Italian (or Spanish, or both) tutorial to explain to these not english-spoken communities the ENGRAVE functions?
  • if so, would you be willing to support me?

Please let me know and keep up the good work!

Fabio

Of course, we are interested in such tutorials as it can spread information across more potential bloggers :) We would love to see that and support as much as we can. Unfortunately, our SP amount is not so big, so we can't reward you with big upvote...

And we're going to introduce a brand new dashboard within weeks and it will change a lot of things, so maybe you should wait a bit with it?

Yes of course, I can wait, no prob. I did a tutorial for another steem dapp, you can find it on my blog if you want to have a look :) actually they are 2 posts, one for Italian and one for Spanish. Names are "Come giocare a Steem Slot Games" and "Como jugar con Steem Slot Games".

Posted using Partiko Android

Hello guys, how is going on your work? Better if I wait a little bit more in order to write the Engrave tutorial?
Sorry for bother you
Fabio

Posted using Partiko Android

I think it's better to wait. I suppose it's not that far away.

Ok, just let me know when you are ready. I think engrave will be a great deal for these communities 😉 It's a really interesting project!

Posted using Partiko Android

I found your post on the trending page @engrave and must say, so far I am impressed with your initial work on creating a blogging platform with Steem login's, upvotes and comments.

I'll be very happy if I start running acrossed blogs with Steem-based comments, etc. I upvoted this post 100% and I'll follow you to observe the progress the #wise-team makes.

Thanks! You can find more blogs here: https://engrave.website/explore just take a look. Some of them might be empty but some of them are not :)

That was in fact very important missing feature. This should boost number of interactions between Engravians (did I just invented a word? :D). It will be much more easily to add comments to different blogs :)

I guess, with cross-domain authentication, it would be very difficult to implement a history of visited engrave blogs, right? :)

I guess, with cross-domain authentication, it would be very difficult to implement a history of visited engrave blogs, right? :)

Every time you reach Engrave blog, you need to be remotely validated, so yes - it should be easy to add the history of visited blogs ;)

Congratulations @engrave!
Your post was mentioned in the Steem Hit Parade in the following category:

  • Pending payout - Ranked 3 with $ 97,69

Wow, this is absolutely wonderful!

I'm so jealous when I see very successful blogs which are not related to Steem(it).

It would be perfect to seamlessly "infiltrate" in such communities.
For example https://tangosix.rs/ aviation nuts enthusiasts from Yugoslavia. 20M people who can possibly read that and 200 comments?! Even more on some texts.

It would be like a dream to call such communities to get on board.
In order to achieve that:

  • their favourite playground must stay the same (visually)
  • the process must be very simplified
  • My maybe crazy dream: the ability to post via "Guest Account"

Do you want to comment now? Good, you will post with "guest" posting key
And there should be a small checkbox, would you like to post as Steemian? Hm, what is Steem? It looks cool... I could do that...

Do you think it's possible/ viable?

Vote, ReSteem, Witness Vote ;)

It would be perfect to seamlessly "infiltrate" in such communities

Would be great and I believe that Engrave is going in the direction which will allow us to do that.

My maybe crazy dream: the ability to post via "Guest Account"

I'm considering it from the very beginning and it will be introduced after some most necessary changes in a dashboard. Basically, the idea is to allow people to post comments without Steem account. Technically, it could be posted by blogger's account or @engrave account with additional pieces of information about a real author and blog (it could be rendered then as a guest account on blogs or something).

And we see a great opportunity here - it's possible to onboard most active commentators to Steem network - this comments could be used to "earn for an account" process. We could identify real authors by email and if this specific email earns more than 3 STEEM with their comments, we could create an account for him for free and send notification! And of course, those comments will be moderated to prevent spam or something :)

Yes! People are impulsive creatures. They want to say something Now, not in 2 hours or 2 weeks, but now.

Also, you know the rules of Pareto distribution, 1-10-90 % rules and so on. Most of the people will be just consumers. They want to read. 1/10 of them wants to Like, 1/10 of them wants to argue and 1/10 of them wants to actually write something.

Imagine a small town, 30,000 people. How many bloggers there will be? Well, maybe 30 at best, other people are living their daily boring lives. 2-3 photographers, 2-3 makeup beauty girls, 2-3 adventurers, doctors, tech enthusiasts - and that's it

Even those who write can't make more than 1 Steem/day on average, so why bothering at all to post comments for example via a private account. Who cares to hassle for 5$ per year or so.

Whish you good luck, if you need any help for "poking" people to join - call me :D

Hey, @engrave!

Thanks for contributing on Utopian.
Congratulations! Your contribution was Staff Picked to receive a maximum vote for the development category on Utopian for being of significant value to the project and the open source community.

We’re already looking forward to your next contribution!

Get higher incentives and support Utopian.io!
Simply set @utopian.pay as a 5% (or higher) payout beneficiary on your contribution post (via SteemPlus or Steeditor).

Want to chat? Join us on Discord https://discord.gg/h52nFrV.

Vote for Utopian Witness!

This post has been included in the latest edition of SoS Daily News - a digest of all you need to know about the State of Steem.



Done voting @wise-team as Witness. (My first witness vote ever) 😀

Posted using Partiko Android

Does ENGRAVE support Disqus? If not, can it support Disqus in the near future? Can you post a screenshot of the dashboard?

Hi, we do not support Disqus because every blog is fully integrated with Steem. Your readers can log in on your blog using Steem account and interact with it. In the near future, we will introduce guests comments (people without Steem account will be able to comment on your articles) but it won't be a Disqus system,

When I visit Emafe.com it isn't going to a splash page anymore @engrave, but is directed toward your homepage again. This is the problem I was experiencing before but I think you fixed it for a while.

Now it's back...

It should work fine and probably your browser just cached redirection. Try to force refresh it (use ctrl+f5)

me gusta la publicaciones

  ·  8 months ago Reveal Comment